Calcite / CALCITE-1915

Workaround Jetty SpnegoAuthenticator bug where no challenge is sent

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • avatica-1.11.0
    • avatica
    • None

    Description

      I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC reads (to me) as the following:

      When a client sends an authorization header that is not capable of being used to authenticate via SPNEGO, the server should send back the WWW-Authentication: Negotiate HTTP header with a status code of HTTP/401. Jetty will only send this challenge+401 when no Authorization header is provided.

      In the case where Avatica is sitting behind a reverse-proxy, the proxy may choose to pass along another authorization header. Jetty (and Avatica) should still respond to say "You need to authenticate over SPNEGO".

      At least Jetty dev seems to agree with my assessment: https://github.com/eclipse/jetty.project/issues/1698. We can easily work around this in Avatica while we wait to get a Jetty release which has this fixed.
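
The challenge decision described above, as an added example that is not part of the issue and is not Jetty's or Avatica's code: it compares the reported behaviour with the expected one over constructed requests, so the gap can be pinned down in a regression test. The function names and the sample header values are assumptions made for illustration.

```python
from typing import Mapping, Optional, Tuple

Response = Tuple[int, dict]
# The 401 + Negotiate challenge the issue says a SPNEGO-protected server should send.
CHALLENGE: Response = (401, {"WWW-Authenticate": "Negotiate"})


def authorization_scheme(headers: Mapping[str, str]) -> Optional[str]:
    """Lower-cased auth scheme, "" for an empty header, None when the header is absent."""
    for name, value in headers.items():
        if name.lower() == "authorization":  # header names are case-insensitive
            parts = value.split(None, 1)
            return parts[0].lower() if parts else ""
    return None


def challenge_as_reported(headers: Mapping[str, str]) -> Optional[Response]:
    """Behaviour the issue reports: challenge only when no Authorization header exists."""
    return CHALLENGE if authorization_scheme(headers) is None else None


def challenge_as_expected(headers: Mapping[str, str]) -> Optional[Response]:
    """Behaviour the issue asks for: challenge unless the client offered Negotiate.

    None means no challenge is produced here; a Negotiate token would go on to
    SPNEGO validation, which this sketch does not model.
    """
    return None if authorization_scheme(headers) == "negotiate" else CHALLENGE


# Constructed sample requests; the values are placeholders, not real credentials.
SAMPLES = {
    "no header": {},
    "proxy-forwarded Basic": {"Authorization": "Basic PLACEHOLDER"},
    "proxy-forwarded Bearer": {"authorization": "Bearer PLACEHOLDER"},
    "SPNEGO token": {"Authorization": "Negotiate PLACEHOLDER_TOKEN"},
}


def missing_challenges() -> list:
    """Samples that should be challenged but are not under the reported behaviour."""
    return [name for name, h in SAMPLES.items()
            if challenge_as_expected(h) == CHALLENGE and challenge_as_reported(h) is None]


if __name__ == "__main__":
    for name, h in SAMPLES.items():
        print(f"{name:24} reported={challenge_as_reported(h)} expected={challenge_as_expected(h)}")
    print("missing challenge for:", missing_challenges())
```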

            People

              elserj Josh Elser